[Snort-users] RE: 55808 window size [WAS: (no subject)]
fknobbe at ...652...
Tue Jun 24 16:23:01 EDT 2003
On Tue, 2003-06-24 at 16:11, Coyle, Brian wrote:
> As of this morning, I've now seen a couple of false positives from this rule.
> Occasionally, a source with legit traffic will start with a window size of
> 55808. Snort triggers on the 55808/SYN packet, but subsequent packets have
> a reduced window size. The IP Seq. numbers will also vary as expected for
> regular traffic.
Other normal traffic has odd Window sizes as well (58400, 63999, 65217,
56940, 17207, 58204, 24616, etc). Why everyone is chasing 55808 is
beyond me. Yeah, it was/is the common thing with some of these scans,
but everyone is using that Window size _by_itself_ as some kind of
identifier (i.e. Snort rule). That's absurd... Oh well, don't get me
started on some of these so-called "security researchers" (or
market-droids)... sometimes I wonder if they don't "find" exploits in
their own marketing department...
Joe Stewart said in an Incidents post "Probably someone's idea of a joke
on the infosec community."
That "trojan" may not have been a joke, but the way some people made use
of the situation surely is a joke.
"Move on, nothing to see here." comes to mind...
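The false-positive pattern described in this thread (a legitimate host whose first SYN happens to carry window 55808, then continues with a normal session) lends itself to a small illustration. The following is an added example, not code from the Snort-users thread or from the Snort project: it contrasts a rule that fires on the window-size field alone with a flow-aware check that only flags a source whose 55808 SYNs are never followed by any other traffic from that source. The packet records are constructed sample data, and the tuple layout and function names are assumptions made for this example.

```python
"""Added example (not from the Snort-users thread): why a single TCP window-size
value is a poor identifier, and a flow-aware alternative. All packets below are
constructed sample data."""
from collections import defaultdict

SUSPECT_WINDOW = 55808  # the value discussed in the thread

# Constructed sample packets: (src, dst, tcp_flags, window, seq)
SAMPLE_PACKETS = [
    # Legit host: first SYN happens to use window 55808, then a normal session
    ("10.0.0.5", "192.0.2.10", "S", 55808, 1000),
    ("10.0.0.5", "192.0.2.10", "A", 16384, 1001),
    ("10.0.0.5", "192.0.2.10", "PA", 16384, 1001),
    # Another legit host with one of the other odd initial window sizes the post lists
    ("10.0.0.6", "192.0.2.10", "S", 58400, 5000),
    ("10.0.0.6", "192.0.2.10", "A", 58400, 5001),
    # Scan-like source (constructed): only bare SYNs, all window 55808, no follow-up
    ("198.51.100.7", "192.0.2.10", "S", 55808, 77777),
    ("198.51.100.7", "192.0.2.11", "S", 55808, 77778),
    ("198.51.100.7", "192.0.2.12", "S", 55808, 77779),
]


def is_bare_syn(flags):
    """True for a SYN without ACK (connection initiation), False otherwise."""
    return "S" in flags and "A" not in flags


def naive_window_rule(packets):
    """Mimics a rule that fires on every bare SYN whose window is 55808.
    Returns one source address per alert (duplicates preserved)."""
    return [src for src, _dst, flags, window, _seq in packets
            if is_bare_syn(flags) and window == SUSPECT_WINDOW]


def flow_aware_rule(packets):
    """Flag only sources that sent 55808 SYNs and never anything else.
    A host that goes on to ACK or push data is treated as a real session,
    which is exactly the case the thread reports as a false positive."""
    syn_hits = defaultdict(int)
    saw_other_traffic = set()
    for src, _dst, flags, window, _seq in packets:
        if is_bare_syn(flags):
            if window == SUSPECT_WINDOW:
                syn_hits[src] += 1
        else:
            saw_other_traffic.add(src)
    return sorted(src for src in syn_hits if src not in saw_other_traffic)


if __name__ == "__main__":
    print("naive rule alerts on:", naive_window_rule(SAMPLE_PACKETS))
    print("flow-aware rule alerts on:", flow_aware_rule(SAMPLE_PACKETS))
```

Run as a script, the naive rule alerts on both 10.0.0.5 (the legitimate host) and the scan-like source, while the flow-aware rule alerts only on the source that never progressed past a SYN. In a real deployment the same idea is a stateful correlation step over the SYN alerts rather than a stateless content match on one header field.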